diff --git a/argocd/applications/step-ca.yaml b/argocd/applications/step-ca.yaml new file mode 100644 index 0000000..dd6e3a5 --- /dev/null +++ b/argocd/applications/step-ca.yaml @@ -0,0 +1,13 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: step-ca + namespace: argocd +spec: + destination: + server: https://kubernetes.default.svc + project: default + source: + path: step-ca + repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git + targetRevision: master diff --git a/step-ca/README.md b/step-ca/README.md index a8f2100..9bd7c56 100644 --- a/step-ca/README.md +++ b/step-ca/README.md @@ -10,80 +10,39 @@ OpenID Connect, mTLS, and more. ## Offline Root CA -The *dch Root CA R2* private key is managed externally from Step CA. It is -stored offline (on a flash drive in a fireproof save). Only the CA certificate +The *DCH Root CA R3* private key is managed externally from Step CA. It is +stored offline (on a flash drive in a fireproof safe). Only the CA certificate is used by the online CA service, where it is provided to clients to include in as a trust anchor in their respective certificate stores. -*dch Root CA R2* replaces *dch Root CA R1*, which has not been used for some -time. +*DCH Root CA R3* replaces *DCH Root CA R2*, which never ended up being used, +and *DCH Root CA R1*, which has not been used for some time. ## Online Intermediate CA -Step CA manages the *dch CA R2* intermediate certificate authority. The +Step CA manages the *DCH CA R3* intermediate certificate authority. The private key for this CA is stored in the `intermediate_ca.key` file, encrypted with the password in `password`. This key pair is needed by the online CA to sign end-entity certificates. -## SSH CA +### ACME Provisioner -In addition to X.509 (TLS) certificates, Step CA can also manage SSH -certificates. These can be used in place of "plain" SSH keys that must be -managed out-of-band (i.e. `~/.ssh/known_hosts` and `~/.ssh/authorized_keys`). +Hosts can obtain certificates signed by *DCH CA R3* using the ACME protocol. +The CA will only sign certificates for names that map to addresses controlled +by the requesting client. For most machines, that means they can only get a +certificate for their hostname. Other names can be added using DNS CNAME +records. -Instead of maintaining a database of hosts' public keys, clients can trust the -CA certificate that signs the hosts' certificates. To do so, simply add a -single line to `~/.ssh/known_hosts`: +Only the `http-01` and `tls-alpn-01` challenges will work, since clients cannot +modify DNS server records. -``` -@cert-authority *.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ8KfNjDh0R/jCmPcJrVafvmuw5JZw+cKoy9RCYNwHsRwPoRHfyzjV1VUZolJfEz+Qm3u+mgYJ/oSquCelY84xE= -``` -Any host with a hostname that matches `*.pyrocufflink.blue` and presents a -certificate signed by the listed certificate will be automatically trusted; the -`ssh` client will not prompt for manual key verification on the first -connection. +### OIDC Provisioner -Similarly, hosts can trust client keys that are signed by the CA by *either* -adding the certificate to per-user `~/.ssh/authorized_keys` files *or* by -setting the global `TrustedUserCAKeys` parameter in the SSH server -configuration. - -`~/.ssh/authorized_keys`: -``` -cert-authority ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBImIoTTmhynCVy/vJ/Q2bWydzqVsvwhGvDgBbklw0eDt8UEbbP9HHPhxiMDtiAhbvRTg5BhYVAlR1MgdooT5dwQ= -``` - -`/etc/ssh/sshd_config`: -``` -TrustedUserCAKeys /etc/ssh/ca.pub -``` - -`/etc/ssh/ca.pub`: -``` -ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBImIoTTmhynCVy/vJ/Q2bWydzqVsvwhGvDgBbklw0eDt8UEbbP9HHPhxiMDtiAhbvRTg5BhYVAlR1MgdooT5dwQ= -``` - -SSH host certificates are typically valid for 30 days, so hosts need to have -some automation in place to automatically renew their certificates. Using the -"SSHPOP" provisioner, hosts can use the `step ssh renew` command to renew their -certificates; existing signed SSH certificates are usable as authentication -credentials. - -SSH user certificates are typically valid for 24 hours. Clients will need to -request a new certificate every day using the `step ssh login` command: - -```sh -step ssh login --provisioner=authelia dustin -``` - -Note the `--provisioner=authelia` argument seems to be required, even if a -default provisioner is specified in `~/.step/config/defaults.json`. - -The final positional argument is the name of the *remote* SSH user, *not* the -user logging in to the OIDC IdP. +Step CA is configured to integrate with Authelia for OpenID Connect +authorization. Users can obtain personal certificates using this provisioner. ## NodePort Service (No Ingress) diff --git a/step-ca/ca.json b/step-ca/ca.json index 5bf2cb8..41fe141 100644 --- a/step-ca/ca.json +++ b/step-ca/ca.json @@ -8,28 +8,44 @@ "dnsNames": [ "ca.pyrocufflink.blue" ], - "ssh": { - "hostKey": "secrets/ssh_host_ca_key", - "userKey": "secrets/ssh_user_ca_key" - }, "logger": { - "format": "text" + "format": "json" }, "db": { - "type": "badgerv2", - "dataSource": "db", - "badgerFileLoadingMode": "" + "type": "bbolt", + "dataSource": "db/step.db" }, "authority": { - "enableAdmin": true, - "provisioners": [] + "claims": { + "enableSSHCA": false, + "disableRenewal": false, + "allowRenewalAfterExpiry": false, + "disableSmallstepExtensions": false + }, + "provisioners": [ + { + "type": "ACME", + "name": "acme" + }, + { + "type": "OIDC", + "name": "authelia", + "clientID": "step-ca", + "clientSecret": "", + "configurationEndpoint": "https://auth.pyrocufflink.blue/.well-known/openid-configuration", + "admins": [ + "dustin@hatch.name" + ] + } + ], + "backdate": "1m0s" }, "tls": { "cipherSuites": [ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" ], - "minVersion": 1.2, + "minVersion": 1.3, "maxVersion": 1.3, "renegotiation": false } diff --git a/step-ca/intermediate_ca.crt b/step-ca/intermediate_ca.crt index b7b7db0..2d9815e 100644 --- a/step-ca/intermediate_ca.crt +++ b/step-ca/intermediate_ca.crt @@ -1,13 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICCTCCAa+gAwIBAgIUOrt38QEPFGRaBSZgyuDNQPCLUZowCgYIKoZIzj0EAwIw -QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE -AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI4MDI0NzMwWhcNMjMxMDI4MDI0NzMw -WjAUMRIwEAYDVQQDEwlkY2gtY2EgUjIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC -AAQ1rK98igj6Y5lbeP8HS1zqQCtkcmz8uk1jp4VgznWT3Q8BanjA55UHQi/xx4xz -BYu4QIkJhtqcR5a7YXSr7fQvo4GyMIGvMB0GA1UdDgQWBBQGy1GZZxrCjGDiIGdR -YhTMZZqhkTAfBgNVHSMEGDAWgBTM+d8kb1koGmKRtJs4gN9zYa+6oTASBgNVHRMB -Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBhjBMBggrBgEFBQcBAQRAMD4wPAYIKwYB -BQUHMAKGMGh0dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1yb290 -LWNhLmNydDAKBggqhkjOPQQDAgNIADBFAiADzZFTGwWNkwZF1U7uZEon7D6sLmCS -WGftl3/IgOrpwwIhAM8bE5UlY3gXt8AObj8VQgGk5Bh38jmOXnDaK0iRz1qm +MIICTzCCAgGgAwIBAgIUDNTFsSYYl8xsEcg9kTatxvOSkmUwBQYDK2VwMEAxCzAJ +BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD +SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjk0M1oXDTI1MDIxNzIwMjk0M1owOzEL +MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDESMBAGA1UEAwwJ +RENIIENBIFIzMCowBQYDK2VwAyEA50stJ8iW6/f+uECPxAJwpSfQDRQg4/AgKJY2 +lpd3uNijggEQMIIBDDAdBgNVHQ4EFgQUtiqtFaZZ/c4IfWXV5SjJIOPbmoowHwYD +VR0jBBgwFoAUtmjEAcG9apstYyBr8MACUb2J2jkwEgYDVR0TAQH/BAgwBgEB/wIB +ADALBgNVHQ8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEwG +CCsGAQUFBwEBBEAwPjA8BggrBgEFBQcwAoYwaHR0cHM6Ly9kdXN0aW4uaGF0Y2gu +bmFtZS9kY2gtY2EvZGNoLXJvb3QtY2EuY3J0MDwGA1UdHwQ1MDMwMaAvoC2GK2h0 +dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1jYS5jcmwwBQYDK2Vw +A0EAACaKAJAKejpFXQV+mgPdDXaylvakc4rCEs1pFhPXbbMMGflNOeiiy+c+aMwt +yfObaZ8/YiXxCSjL6/KzRSSjAQ== -----END CERTIFICATE----- diff --git a/step-ca/kustomization.yaml b/step-ca/kustomization.yaml index 95e27c5..98f9995 100644 --- a/step-ca/kustomization.yaml +++ b/step-ca/kustomization.yaml @@ -3,9 +3,14 @@ kind: Kustomization namespace: step-ca +labels: +- pairs: + app.kubernetes.io/instance: step-ca + resources: - namespace.yaml - step-ca.yaml +- secrets.yaml configMapGenerator: - name: step-ca-config @@ -16,13 +21,3 @@ configMapGenerator: files: - root_ca.crt - intermediate_ca.crt - - ssh_host_ca_key.pub - - ssh_user_ca_key.pub - -secretGenerator: -- name: step-ca - files: - - intermediate_ca.key - - password - - ssh_host_ca_key - - ssh_user_ca_key diff --git a/step-ca/root_ca.crt b/step-ca/root_ca.crt index 6705c7a..e0235a5 100644 --- a/step-ca/root_ca.crt +++ b/step-ca/root_ca.crt @@ -1,12 +1,11 @@ -----BEGIN CERTIFICATE----- -MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw -QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE -AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5 -WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD -VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D -NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD -Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6 -oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI -ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ -irIa697nfe4KiXIMwHlAMS1+1QZohFDC +MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ +BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD +SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL +MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO +RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU +T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G +A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL +0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4 +DaY+6wQ= -----END CERTIFICATE----- diff --git a/step-ca/secrets.yaml b/step-ca/secrets.yaml new file mode 100644 index 0000000..31e9626 --- /dev/null +++ b/step-ca/secrets.yaml @@ -0,0 +1,22 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: step-ca + namespace: step-ca + labels: + app.kubernetes.io/name: step-ca + app.kubernetes.io/component: step-ca + app.kubernetes.io/instance: step-ca + app.kubernetes.io/part-of: step-ca +spec: + encryptedData: + intermediate_ca.key: AgA4MOOCi8WvBSqyGw6T1wrK7zGgC7kvHYNpgZpZlBq3ZcW4l2d/huT7SbpIUQZN8OhLsgsZqK73VisFRsTG//KrMsJ+CCv6DSpaoEEL0LzUFWVldK27oZ3CDfAo6pZS50M8DSzcA7foxvw7++DSnytS9ken6qu2Azf3iFOFetES23XMT7IIFfcJz+qgBVGIOrxYULj19Y3EZD++kgRM22pCSrnoOQHJV3DOE6SjMZfg9Nhbg7Z5jrpsoM5w7QXd3g8jfsOS0Yv+95CL5SgTtJBAPqVi/2bK7nPuQxGFBy/qhwktzeeagOgFwe5McnEL0aB8K7GQEhOeIiHNSf/AAffronCdGapHQcthAA9CD3P4qXHogiY6x6JgqOXaZ3/BNF4gIlEJoJV36Z51BZUpZLakqOcxw2XNungITq4XMZqUybyqq/oHZEjcqqwSgeHtGJ7aaCAdV1AK4J8kNYXSs0+JcKU+1BzCDTB2YY1nT3uXz5g2d6eLlAe3S6pLDBdZGfyXv4e/nS9ouhdQm9qknNt2hqLAkm5u2g0C6MWYqgCKKdWQBg0JrLvN799zOj5FOGFOEa+gA2t6WwpVeiuo/6Xhn2WtkU710cXdblROM/DWoiI7YUxG4GsmzZOG/1TsbGTPoP1+evxD+VxCIOag6yxBCHnrpUVyCwdp7GLH/+72KyKClhJLb/ub/MKKVTlsWk0JhP3EhfvChO4tbeFMjeGt7afuKKghRt3ZXjAAZFW28qx5oLvirRoUSKOdEU+jE0RWFFeB0Qac9Hz9BFM5iAhdlcpGOOi5bGeMqR/nGlTRV9oUENeopiHBvVXfXr88yumVDE7FzXy4RyC4hypQFddS7kVR3MYoA9c6hWrCAAiuooOKa1JhdfhdlvlQij9PAJW921ClBBXcB2ykcivcrJd6GPAzCHOj6cQjUDeTwarKqZGf1PdtNnCsU1r1V0MOqyuhNjZZ4ZoGEGlq3r3TJY8Hh/+w//ZTpbvHpTUD2rhQjXuVyzqBpU2z5SoFt23U7sV/8+LizZMKfJl9fveJU/CbZ3bGC756ZhpHykbX7bgy9Q0iBg9ke1w+7lepsZVZKhlfnQ== + password: AgAspVB0c402ymidL6YoRTRtmPekLZHlQXtZecftoakjm75OArueAnH+1dquknV4MJ7g8XUVLkguh4lKkNPxjCs2Jen5UM+aSxoqii/2KdTAIb1WINebDOhyj3lY8aZw9+qeDfc5590+x+8jASwm7rVf6QfGygdjwQ6D6xeNUC7xwU3bC8xH9mHq2wSKbI6iGAik4Di7Ma4bvm/nTNfB+Ogb7rdLoJsvDDFbZ1io3wWNJGsWleged2HRPPwkmGq7pkxE2xUpjgbqeWX0y8RbNLC6DwsE3mUce9hanfLvxJVCDMnbUKfUYUxULBMFpheT6lmyz1YgFu+NiuSFvX3An4PNfgeQ2Hl931qfoG9h2kX4wyYcJt0ELZ2tdcrSS7zWgNNx450LuWmGQPvhApLhH2U7CUsSrjbWS/NZKMHuZryp0sEtykoEOOtNezU5slSY/0aB9XWFDu78RaYJOZy1VqGy+ulWkhCFv+3D2MEF6JJXmI4RNTdWmUQx1hr85uTS9Xi6stovkLMHxrEJfDI581yZv7Z9DrSssp5U4Ydf3gjKN7UTgFXrSz25R7SJ4lYso7yHhka9L2YMuIuPS7iPg1F+RPjiG6KAxP3roqRfeMXP3LoDn/21pYsO1QNrq2fBLXaO8Wq0hRXaICZzGveWdeM8sIbjBNqxjb50YtmkF/bDI8BY/sogPWitzDDyNU3bVS5Qyl0AaTHasGzJ9Es26Q4C0GHLd3iVQq0GTSsmtUbZGg== + template: + metadata: + name: step-ca + namespace: step-ca + labels: + app.kubernetes.io/name: step-ca + app.kubernetes.io/component: step-ca + app.kubernetes.io/part-of: step-ca diff --git a/step-ca/ssh_host_ca_key.pub b/step-ca/ssh_host_ca_key.pub deleted file mode 100644 index 5841ab9..0000000 --- a/step-ca/ssh_host_ca_key.pub +++ /dev/null @@ -1 +0,0 @@ -ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ8KfNjDh0R/jCmPcJrVafvmuw5JZw+cKoy9RCYNwHsRwPoRHfyzjV1VUZolJfEz+Qm3u+mgYJ/oSquCelY84xE= diff --git a/step-ca/ssh_user_ca_key.pub b/step-ca/ssh_user_ca_key.pub deleted file mode 100644 index ab0f1b8..0000000 --- a/step-ca/ssh_user_ca_key.pub +++ /dev/null @@ -1 +0,0 @@ -ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBImIoTTmhynCVy/vJ/Q2bWydzqVsvwhGvDgBbklw0eDt8UEbbP9HHPhxiMDtiAhbvRTg5BhYVAlR1MgdooT5dwQ=